Application Scan Tab
The application Scan tab provides various statuses related to your selected application and lets you configure and schedule future scans.
Click on Scan Configuration to configure your scan. Here you can select a scan profile if desired (Default, SCA only, Mobile, Web, or Desktop Application), enable or disable directed remediation, exclude particular languages or files, and/or upload a configuration file (Maven, Gradle, NuGet, NPM, Composer, Yarn, or Bower).
Refer to Scheduling an Application Scan for guidance on this.
Start Pre-Scan is only available for applications that have never been scanned before. Once an application has been scanned once, this option is removed for that particular application.
To run a pre-scan (which will determine the license requirements) click on Start Pre-Scan. A green banner is displayed for success, but if there is an error, you will see a red banner.
Pre-scan typically completes in under 30 minutes and does not consume any licenses. It does not verify or display any vulnerabilities, but rather it is a lightweight scan intended for the following purposes:
to validate scan configurations and codebase access, including the ability to check out code.
to check for scan errors and missing dependencies.
to count the lines of code and determine the file size, to determine the type of license required for a full scan.
to provide a list of files scanned to allow you to exclude files that should not be included in the full scan.
Clicking on Scan Now assigns an appropriate license to this application if necessary and begins the scan. If an appropriate license is not available, the request will be rejected and you will see a red banner.
Full Scan may take up to 24 hours to complete, depending on your application’s complexity and the process will consume one license. This is a deep scan intended for the following purposes:
to perform full static or binary analysis of your application.
to perform Software Composition Analysis and identify open-source and third-party libraries used in your application, with the version, license information and CVEs if available.
to verify and display security vulnerablities found in your application.
Scan status fields:
Field No. Field Name Description
This shows the status of the current scan. This may be Paused for Schedule, Scan Completed, Scan Running, Scanning w/o Credentials (no working credentials available), or WHS Updating Configuration (WhiteHat may from time to time pause scanning to update the configuration of the scanner).
This displays the scanning schedule for the selected application.
Next Scan Scheduled
The date on which the next scan is scheduled to begin.
WhiteHat Asset Size
The relative size of the asset being scanned, according to WhiteHat’s terminology.
Code Sent to WhiteHat (%)
The percentage of the code scanned that was sent to WhiteHat as 'code snippets' to verify potential vulnerabilities.
Last Completed Scan
Most recent date on which a scan was completed.
Last Scan Request By
Provides the name of the user that requested the last scan.
Lines of Code Scanned
Number of lines of code covered in the most recent scan.
Average Lines of Code Scanned
Number of lines of code scanned on average overall.
Last Scanned File Size
File size of the asset in the most recent scan.
Average Scanned File Size
Average file size scanned overall.
Potential Vulnerabilities - Scanner Found
The number of possible vulnerabilities identified by the scan.
Open Vulnerabilities - Verified
The number of verified vulnerabilities currently open for this asset.
This table provides a list of the file types and the count for each file type scanned.
The Scan Log table at the bottom of this screen essentially provides an application scan history for the user. It records the following:
Scan Completed Date, which notes the completion date and timestamp for every scan performed on the selected application.
The File Size that was scanned.
The number of Lines of Code Scanned.
The Codebase Metadata. When View is clicked, the following information displays:
The scanned repository Name.
The URL to the scanned repository.
The Revision sha which notes the exact revision of the codebase that was scanned.
|If no codebase metadata exists, the View link will not appear next to that particular scan.|